Hi,
Just FYI. A certificate number 0x0123 was issued to
portal/wk-pc1.dl.ac.uk in 2003 and revoked because the email address was
not correct.
As Robert discovered during the GridPP meeting, there is some buggy code
that checks the CA against its own CRL (tut, tut) and as the CA happens
to have serial 0x0123 (but issued by a completely different CA, of
course), the code erroneously thought the UK CA had been revoked!
So Suleman unrevoked the 0x0123 (which we'd only do because it's long
dead, it actually still should be revoked) but was loath to push out a
new and strange CRL on a Friday afternoon (as it was then). Because he
used one of my scripts which also happens to add an extension (if you
remember, to debug yet another bug in software relying on certificates.
Why can't people just use the standard libraries that have actually been
written by mostly sane people and tested!?)
I forgot to publish it yesterday, so published it this morning. It has
0x0123 unrevoked, and an extension. We should probably have CRL
extensions permanently; I don't think anyone is using older versions of
Netscape any more, but you never know. We *could* also remove expired
certificates from the CRL; they would not matter for authentication,
only for people resurrecting expired certificates (e.g. through
CertWizard) and for signature checking (you don't trust a digital
signature made after the expiry date.)
Cheers
--jens
--
Dr Jens Jensen
Mad Scientist, Scientific Computing Department, STFC (www.stfc.ac.uk)
Rutherford Appleton Laboratory, Harwell Oxford Campus, OX11 0QX, UK
T/F +44(0)1235 446104/5945